Our PCI-DSS Level 1 audit has asked us to show logs when any attempt to kill any Sophos process is done. None can be found, despite Sophos Support claiming an event is logged in Event Viewer - no Event Source, Event ID or other information was provided to prove this is the case. An "Access Denied" Error is generated by tamper protection, that's nice. We have no proof that someone or something attempted to circumvent Sophos until it has actually be circumvented - alert in Sophos central that the computer is no longer protected, nor how long this attempt to circumvent has been underway. Like closing the barn doors after the cows have left.

Use Case:
- a malicious attacker (External actor or disgruntled employee) manages to gain access to a workstation or server via a legitimate path - Powershell WRM or Interactive console access - without triggering any other malicious payload alert by Sophos - an otherwise legit login to the targeted machine/environment (credentials obtained via phishing attack). Then the attacker attempts to stop Sophos. At the absolute minimum an audit log in the Windows Security Event Viewer log should be logged of the attempt, like any other access denied log windows generates for system events. This will allow administrators to see any potential attacks under way that have not otherwise triggered a malicious payload alert or even something in the Tamper Protection logs themselves and not just "Tamper Protection has been disabled". The logs can also be analyzed in real time by 3rd party monitoring platforms like SumoLogic that can correlate the data from the Windows Event Logs, that Sophos is simply not designed to do. And with appropriate setup, can be alerted with Real Time Alerts from the 3rd party monitoring platform or even Sophos Central if the attempt to kill any Sophos process is relayed back to Sophos Central alerting.

Example Log:

An attempt was made to access an object.

Subject:
Security ID: ad\UserName (or Local System Account if accessed via System account)
Account Name: UserName
Account Domain: ad
Logon ID: 0xFFFFFFFF

Object:
Object Server: Security
Object Type: File
Object Name: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
Handle ID: 0x0000
Resource Attributes: S:AI

Process Information:
Process ID: 0x000
Process Name: C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe

Access Request Information:
Accesses: EndTask
Outcome: Access Denied

Could you possibly add the ability to scan newly created text or html documents for common phrases found in the ransom notes of current ransomware strains? Seems to be a common sense approach to detecting this kind of infection and preventing it from spreading much beyond the original point of infection. Think of it as DLP in reverse, people really shouldn't have the need to type things like "What happened to your files" or "Your files have been encrypted using the latest..." so the only possible source would be malicious software. On a Windows server you could easily get the owner of the file and change the ACL on all network shares to either block that user or change the rights to read only.